@Gargron S3 ACL is a simpler legacy mechanism; a DENY always has priority over an ALLOW for the same object. Also, if you make a bucket public but restrict access to some objects through ACL, it is supposed to work as intended. But my recommendation would be not to set a bucket public if not all of its content should be public, and to use IAM instead of ACL: